Security Groups don't support protocol 4 (ip-in-ip) and returns 500
Bug #1716045 reported by German Eichberger
This bug affects 2 people
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
neutron | Fix Released | High | Brian Haley |
Bug Description
When trying to create a security group with protocol 4 Neutron returns 500:
stack@octavia:
Error while executing command: Internal Server Error (HTTP 500) (Request-ID: req-d1e3eb48-
I tried this on devstack so it should be pretty easy to reproduce. Ideally I would like to see IP-in-IP supported but a better error message might be a first step.
The actual error is:
ValueError: Field value 4 is invalid
Which is most likely due to the fact that we're validating against IP_PROTOCOL_MAP from neutron-lib, which doesn't include IP, just upper-layer protocols.
A fix for IP-in-IP, or more generally, IPvX-in-IPvX, would take an investigation to determine what the iptables and OVS support is for it and how to program it into the ruleset. We'd also have to check that conntrack supports it.
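The failure mode discussed in this report, as an added example that is not Neutron's code: a field check against a protocol map raises ValueError for protocol 4, which a generic handler reports as HTTP 500, shown beside a variant that rejects the value with a descriptive 400. PROTOCOL_MAP is a constructed subset standing in for neutron-lib's IP_PROTOCOL_MAP, and BadRequest, the function names and the status mapping are assumptions.

```python
# Constructed subset of upper-layer protocols (name -> IANA number), standing in
# for neutron-lib's IP_PROTOCOL_MAP; protocol 4 (IP-in-IP) is deliberately absent.
PROTOCOL_MAP = {"icmp": 1, "tcp": 6, "udp": 17, "gre": 47, "esp": 50, "sctp": 132}
VALID_NUMBERS = frozenset(PROTOCOL_MAP.values())


class BadRequest(Exception):
    """Hypothetical client-error type that the API layer renders as HTTP 400."""


def coerce_protocol_field(value):
    """Object-layer check: accept only numbers present in the map."""
    if value not in VALID_NUMBERS:
        raise ValueError(f"Field value {value} is invalid")
    return value


def parse_protocol(raw):
    """Turn a protocol name or numeric string from the request into an int, else None."""
    raw = str(raw).strip().lower()
    if raw in PROTOCOL_MAP:
        return PROTOCOL_MAP[raw]
    if raw.isdecimal() and len(raw) <= 3 and int(raw) <= 255:
        return int(raw)
    return None


def create_rule_unhandled(raw):
    """'Before': the ValueError escapes validation and is reported as a 500."""
    try:
        return 201, {"protocol": coerce_protocol_field(parse_protocol(raw))}
    except BadRequest as exc:
        return 400, {"error": str(exc)}
    except Exception:  # generic catch-all, as an API framework would apply
        return 500, {"error": "Internal Server Error"}


def create_rule_checked(raw):
    """'After': reject unsupported protocols up front with a descriptive 400."""
    try:
        number = parse_protocol(raw)
        if number is None or number not in VALID_NUMBERS:
            raise BadRequest(f"Security group rule protocol {raw!r} not supported; "
                             f"use one of {sorted(PROTOCOL_MAP)} or its number")
        return 201, {"protocol": coerce_protocol_field(number)}
    except BadRequest as exc:
        return 400, {"error": str(exc)}
```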